Default client keytab name

Simo Sorce simo at redhat.com
Mon Jul 23 13:38:59 EDT 2012


On Mon, 2012-07-23 at 11:53 -0400, Sam Hartman wrote:
> >>>>> "Nico" == Nico Williams <nico at cryptonector.com> writes:
> 
> 
>     Nico> But if a daemon like gssd is trying to use said keytab then
>     Nico> we're back to the same problem as with ccaches.  Even w/o a
>     Nico> daemon.
> 
> While I think we should consider gssd, and while I'd like to find a
> solution that works for everything including gssd, I consider gssd kind
> of special.
> 
> My primary use case here is getting rid of kstart not gssd.
> 
> Even now I don't run across a lot of NFSv4 with Kerberos; I run across
> other Kerberos services far more.
> However, I do agree that client keytabs could be very useful for gssd.
> 
> 
> I think that looking up pwnam(geteuid()) could work for gssd.  You'd
> need to be careful if /etc was NFS mounted not to cause recursion with
> getpwnam(), but that's manageable.

We switched our stuff to use UIDs to avoid getpwnam() in gssd.
Names are more ambiguous than UIDs and also assume the nsswitch service
is always available. Admittedly that is almost always the case when we
use sssd as it has an offline cache, but environments where nss_ldap is
still used may have issues.

But you can choose whatever build variable as long as I can select uid
based dirs/files in configure as the default for Fedora.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
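As an added illustration of the uid-based naming Simo describes above (example code written for this page, not code from krb5, gssd or anyone in this thread): a small template expander that only understands the tokens %{uid} and %{euid}, so resolving the default client keytab path never calls getpwnam() and never depends on the nsswitch service being up. The token syntax, the function name and the path layout are assumptions made for this example; a %{username}-style token is deliberately rejected because expanding it would require an NSS lookup.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Expand a client keytab name template into `out`.
 * Supported tokens (assumed syntax for this example):
 *   %{uid}   the caller-supplied uid
 *   %{euid}  geteuid() of the running process
 * Anything else inside %{...} (for example %{username}) is refused,
 * because resolving it would need getpwnam()/nsswitch.
 * Returns 0 on success, -1 on unknown token, unterminated token or
 * insufficient buffer space. */
int expand_keytab_template(const char *tmpl, uid_t uid, char *out, size_t outlen)
{
    size_t pos = 0;
    const char *p = tmpl;

    if (outlen == 0)
        return -1;

    while (*p != '\0') {
        if (p[0] == '%' && p[1] == '{') {
            const char *end = strchr(p + 2, '}');
            size_t toklen;
            unsigned long value;
            int n;

            if (end == NULL)
                return -1;                       /* unterminated %{ */
            toklen = (size_t)(end - (p + 2));
            if (toklen == 3 && strncmp(p + 2, "uid", 3) == 0)
                value = (unsigned long)uid;
            else if (toklen == 4 && strncmp(p + 2, "euid", 4) == 0)
                value = (unsigned long)geteuid();
            else
                return -1;                       /* would need NSS: refuse */

            n = snprintf(out + pos, outlen - pos, "%lu", value);
            if (n < 0 || (size_t)n >= outlen - pos)
                return -1;                       /* truncated */
            pos += (size_t)n;
            p = end + 1;
        } else {
            if (pos + 1 >= outlen)
                return -1;                       /* no room for char + NUL */
            out[pos++] = *p++;
        }
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample template in the uid-keyed layout discussed above. */
    const char *tmpl = "/var/kerberos/krb5/user/%{euid}/client.keytab";
    char path[256];

    if (expand_keytab_template(tmpl, geteuid(), path, sizeof path) == 0)
        printf("client keytab for euid %lu: %s\n", (unsigned long)geteuid(), path);
    else
        printf("could not expand template\n");
    return 0;
}
```

A daemon such as gssd can call this once per request with the uid it already has, and a configure-time default for the template (uid-based on Fedora, as Simo asks for) just changes the string passed in.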
